On November 19, 2020, Peter Driscoll, director of the Office of Compliance Inspection and Examination (“OCIE”) of the Securities and Exchange Commission (“SEC”), gave a speech urging advisory firms to empower their Chief Compliance Officers (“CCOs”). The speech, made at the SEC’s annual compliance outreach conference, accompanied OCIE’s Risk Alert, issued the same day, identifying notable deficiencies and weaknesses regarding the CCOs and compliance departments of Registered Investment Advisors (“RIAs”). Driscoll’s speech complemented the Risk Alert by outlining the fundamental requirements for CCOs: “empowered, senior and with authority.”
Under Rule 206(4)-7 promulgated under the Investment Advisers Act of 1940, 17 C.F.R. § 270.38a-1 (the “Compliance Rule”), an RIA must adopt and implement written policies and procedures reasonably designed to prevent violation of the Advisers Act and the rules thereunder. According to Driscoll, this cannot be done unless the RIA’s CCO is empowered to fully administer the firm’s policies and procedures and holds a position of sufficient seniority and authority to compel others to comply with those policies and procedures. In its Risk Alert, OCIE identified common compliance deficiencies among RIAs directly stemming from an unempowered CCO, including a lack of sufficient human resources to implement policies and procedures, failure of executive management to support the CCO, and even firing the CCO for reporting suspicious behavior. In order to address and prevent these deficiencies, Driscoll described a set of baseline expectations that regulators should look for, and that firms can adopt, in assessing the power and authority of the CCO and compliance function.
- Compliance Resources: RIAs should continually reassess their budgetary needs based on their business model, size, sophistication, adviser representative population and dispersal, and provide for sufficient resources as necessary for compliance with applicable laws. This may mean hiring additional compliance staff and upgrading information technology infrastructure, especially if the firm has grown or taken on a new business. Compliance staff should be trained, at a minimum, to perform annual reviews, accurately complete and file advisor registration forms (Form ADV), and timely respond to OCIE requests for required books and records.
- Responsibility of CCOs: While CCOs may have multiple responsibilities, they must be, at a minimum, knowledgeable about the Advisers Act and its mandates in order to fulfill their responsibilities as CCO. CCOs should not only assist firms in avoiding compliance failures, but should also provide guidance on new or amended rules.
- Authority of CCOs: Senior management should vest CCOs with ample authority and routinely interact with them. CCOs need to understand their firm’s business and, when necessary, be brought into the business decision-making process. CCOs should also have access to critical operational information such as trading exception reports and investment advisory agreements with key clients. CCOs should be consulted on all matters with potential compliance implications, such as disclosures of conflicts to clients, calculation of fees, and client asset protection.
- Position of CCOs: At a minimum, CCOs should report directly to senior management, and preferably be a part of senior management. CCOs should not be mid-level officers or placed under the Chief Financial Officer function.
- Security of CCOs: CCOs should have confidence that they can raise compliance issues with the backing and support of senior management without being scapegoated or terminated.
These expectations should not be read as an exhaustive checklist but as a preliminary framework for evaluating the effectiveness of a firm’s compliance function and its CCO, which are key elements of a firm’s ability to comply with the mandates of the Compliance Rule. This framework can also be used to ensure the firm’s compliance function is appropriately tailored to its size, business model, and compliance culture.